Forum Discussion
Issue while deploying Sentienl Rules
I know that when deleting a Sentinel rule, you need to wait a specific amount of time before it can be redeployed. However, in this tenant, we've been waiting for almost a month and are still getting...
Hi StefanHartmann1
I've seen this in instances where there are still traces relating to that original ID, not allowing overwriting.
Note that the ID is the Name, you can use this PS query below to see the state of the rule:
Get-AzSentinelAlertRule -ResourceGroupName <RG-Name> -WorkspaceName <LogAnalytics-Name> `
| where Name -eq "<Rule-ID>"
And the equivalent removal PS: https://learn.microsoft.com/en-us/powershell/module/az.securityinsights/remove-azsentinelalertrule?view=azps-13.0.0
Outside of that you will have three options:
- If the same GUID is not explicitly required, deploy the rule under a new ID.
- Raise a Microsoft support case
- Continue waiting.
Feel free to reply if you have any issues!
"GUID is not explicitly required" Please elaborate on this?